A critical cross-site scripting vulnerability in the web-based control panel used by StealC malware operators allowed CyberArk researchers to hijack sessions, collect hardware fingerprints, and observe active campaigns. The flaw reveals significant operational security failures among cybercriminals using malware-as-a-service platforms.
In a rare reversal of fortune, researchers have successfully hacked the hackers behind the StealC information-stealing malware. CyberArk's research team discovered and exploited a cross-site scripting (XSS) vulnerability in the web-based control panel that StealC operators use to manage their campaigns. This flaw allowed them to observe active sessions, collect detailed hardware fingerprints, and even hijack panel sessions remotely.
StealC emerged in early 2023 and quickly gained popularity in dark web cybercrime channels. The malware's appeal stemmed from its sophisticated evasion capabilities and extensive data theft features. Throughout 2023 and 2024, the developer continued adding enhancements, culminating in version 2.0 released last April. This update introduced Telegram bot support for real-time alerts and a new builder that could generate customized StealC builds based on templates and specific data theft rules.
The opportunity to analyze StealC's infrastructure arose when the source code for its administration panel was leaked around the time of the version 2.0 release. CyberArk researchers identified an XSS vulnerability that enabled them to collect browser and hardware fingerprints of StealC operators, observe active sessions, steal session cookies, and hijack panel sessions from their own machines.
"By exploiting the vulnerability, we were able to identify characteristics of the threat actor's computers, including general location indicators and computer hardware details," the CyberArk researchers explained. "Additionally, we were able to retrieve active session cookies, which allowed us to gain control of sessions from our own machines."
CyberArk deliberately chose not to disclose specific technical details about the XSS vulnerability to prevent StealC operators from quickly identifying and patching the flaw. The researchers' analysis revealed significant operational security failures among the malware's customers. One particularly notable case involved a threat actor known as "YouTubeTA," who hijacked old, legitimate YouTube channels using compromised credentials and planted malicious links to distribute StealC.
Throughout 2025, YouTubeTA ran malware campaigns that collected over 5,000 victim logs, stealing approximately 390,000 passwords and 30 million cookies—though most of these cookies were non-sensitive. Screenshots from the threat actor's panel indicated that most infections occurred when victims searched for cracked versions of Adobe Photoshop and Adobe After Effects.
By leveraging the XSS flaw, researchers could determine that YouTubeTA used an Apple M3-based system with English and Russian language settings, operated in the Eastern European time zone, and accessed the internet from Ukraine. The threat actor's location was exposed when they forgot to connect the StealC panel through a VPN, revealing their real IP address linked to Ukrainian ISP TRK Cable TV.
This case highlights a broader pattern of security failures among cybercriminals using malware-as-a-service (MaaS) platforms. While MaaS enables rapid scaling of malicious operations, it also introduces significant risks of exposure. The centralized nature of these platforms means that vulnerabilities in the infrastructure can compromise all operators using the service.
CyberArk's decision to disclose the XSS flaw now stems from a strategic calculation. Researcher Ari Novick explained that they hope to disrupt StealC's operations, noting "a spike in recent months in the number of StealC operators, possibly in response to the drama around Lumma a couple of months ago." By publicizing the vulnerability's existence, CyberArk aims to cause operators to re-evaluate their use of StealC, potentially creating significant disruption in the MaaS market.
The incident underscores the importance of security hygiene even for threat actors. While sophisticated malware families like StealC incorporate advanced evasion techniques, basic web application vulnerabilities in their management interfaces can create catastrophic exposure. For cybersecurity defenders, this represents a valuable intelligence opportunity—gaining insights into attacker infrastructure, methods, and operational patterns that can inform defensive strategies.
The research also demonstrates the potential for ethical hackers to turn the tables on cybercriminal operations. By identifying and exploiting vulnerabilities in malware infrastructure, security researchers can gather intelligence, disrupt malicious activities, and provide valuable information to the broader security community about emerging threats and attacker methodologies.
As the cybersecurity landscape continues to evolve, such counter-operations may become increasingly common. The StealC case serves as a reminder that even the most sophisticated malware operations can be vulnerable to basic security flaws, and that the same tools and techniques used by attackers can sometimes be turned against them to protect potential victims.
Comments
Please log in or register to join the discussion